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To  protect  the  privacy  of  personally  identifiable  health  information. 


IN  THE  HOUSE  OF  REPRESENTATIVES 


May  25,  1999 


Mr.  CONDIT  (for  himself,  Mr.  Waxman,  Mr.  MARKEY,  Mr.  DlNGELL,  Mr. 
Brown  of  Ohio,  Mr.  Turner,  Mr.  Lantos,  Mr.  Cramer,  Mr.  Wise,  Mr. 
Owens,  Mrs.  Tauscher,  Mr.  Towns,  Mr.  Shows,  Mr.  Kanjorski,  Mrs. 
Mink  of  Hawaii,  Mr.  Sanders,  Mrs.  Maloney  of  New  York,  Ms.  Nor- 
ton, Mr.  Fattah,  Mr.  Cummings,  Mr.  Kucinich,  Mr.  Blagojevich, 
Mr.  Davis  of  Illinois,  Mr.  Tierney,  Mr.  Allen,  Mr.  Ford,  Ms. 
SCHAKOWSKI,  Mr.  Romero-Barcelo,  and  Mr.  Stupak)  introduced  the 
following  bill;  which  was  referred  to  the  Committee  on  Commerce,  and 
in  addition  to  the  Committee  on  Government  Reform,  for  a  period  to  be 
subsequently  determined  by  the  Speaker,  in  each  case  for  consideration 
of  such  provisions  as  fall  within  the  jurisdiction  of  the  committee  con- 
cerned 


To  protect  the  privacy  of  personally  identifiable  health 

information. 


2  lives  of  the  United  States  of  America  in  Congress  assembled, 

3  SECTION  1.  SHORT  TITLE;  TABLE  OF  CONTENTS. 


A  BILL 


i 


Be  it  enacted  by  the  Senate  and  House  of  Representa- 
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(a)  Short  Title. — This  Act  may  be  cited  as  the 


5 


Health  Information  Privacy  Act". 


2 


1  (b)  Table  of  Contents. — The  table  of  contents  for 

2  this  Act  is  as  follows: 

Sec.  1.  Short  title;  table  of  contents. 
Sec.  2.  Findings  and  purposes. 

TITLE  I— PROTECTION  OF  HEALTH  INFORMATION 

Restrictions  on  uses. 
Restrictions  on  disclosure. 

Standards  for  authorizations  for  use  and  disclosure. 
Safeguards  against  misuse  and  prohibited  disclosures. 

TITLE  II— RIGHTS  OF  PROTECTED  INDIVIDUALS 

Sec.  201.  Right  of  access. 
Sec.  202.  Right  of  correction  and  amendment. 
Sec.  203.  Right  to  review  disclosure  history. 

Sec.  204.  Right  to  notice  of  information  practices  and  opportunity  to  seek  addi- 
tional protections. 

TITLE  III— PERMISSIBLE  DISCLOSURES  OF  PROTECTED  HEALTH 

INFORMATION 


Sec. 

301. 

Provision  of  and  payment  for  health  care. 

Sec. 

302. 

Health  oversight. 

Sec. 

303. 

Public  health. 

Sec. 

304. 

Health  research. 

Sec. 

305. 

Law  enforcement. 

Sec. 

306. 

Judicial  or  administrative  proceedings. 

Sec. 

307. 

Other  disclosures. 

Sec. 

308. 

Redisclosures. 

TITLE  P7— MISCELLANEOUS  PROVISIONS 

Specific  classes  of  individuals. 
False  pretenses. 

Obligations  of  affiliated  persons. 
Prohibition  of  retaliation  with  respect  to  employment. 
Mental  health  and  other  especially  sensitive  information. 
Cessation  of  operations. 

Conforming  amendments  to  Federal  Privacy  Act. 

TITLE  V— GENERAL  PROVISIONS 


Sec. 

501. 

Authority  of  the  Secretary. 

Sec. 

502. 

Enforcement. 

Sec. 

503. 

Relationship  to  other  laws. 

Sec. 

504. 

Definitions. 

Sec. 

505. 

Effective  date. 

3  SEC.  2.  FINDINGS  AND  PURPOSES. 

4  (a)  Findings. — The  Congress  finds  as  follows: 


Sec.  101. 

Sec.  102. 

Sec.  103. 

Sec.  104. 


Sec.  401. 

Sec.  402. 

Sec.  403. 
Sec.  .404. 

Sec.  405. 

Sec.  406. 

Sec.  407. 
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1  (1)  The  right  to  privacy  is  a  personal  and  fun- 

2  damental  right  protected  by  the  Constitution  of  the 

3  United  States. 

4  (2)  Individuals  have  a  right  to  privacy  regard- 

5  ing  their  individually  identifiable  health  information. 

6  (3)  The  improper  use  or  disclosure  of  individ- 

7  ually  identifiable  health  information  about  an  indi- 

8  vidual  may  cause  significant  harm  to  the  interests  of 

9  the  individual  in  privacy  and  health  care,  and  may 

10  unfairly  affect  the  ability  of  the  individual  to  obtain 

11  employment,  education,  insurance,  credit,  and  other 

12  necessities. 

13  (4)  Current  legal  protections  for  health  infor- 

14  mation  vary  from  State  to  State  and  are  inadequate 

15  to  protect  the  privacy  of  an  individual's  health  infor- 

16  mation  and  ensure  fair  information  practices  stand- 

17  ards. 

18  (5)  The  movement  of  individuals  and  health  in- 

19  formation  across  State  lines,  access  to  and  exchange 

20  of  health  information  from  automated  data  banks 

21  and  networks,   and  the  emergence  of  multi state 

22  health  care  providers  and  payers  create  a  compelling 

23  need  for  Federal  law,  rules,  and  procedures  gov- 

24  erning  the  use,   maintenance,   and  disclosure  of 

25  health  information. 
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1  (6)  Federal  rales  governing  the  use,  mainte- 

2  nance,  and  disclosure  of  health  information  are  an 

3  essential  part  of  health  care  reform,  are  necessary  to 

4  support  the  computerization  of  health  information, 

5  and  can  reduce  the  cost  of  providing  health  services 

6  by  making  the  necessary  transfer  of  health  informa- 

7  tion  more  efficient. 

8  (7)  An  individual  needs  access  to  health  infor- 

9  mation  about  the  individual  as  a  matter  of  fairness, 

10  to  enable  the  individual  to  make  informed  decisions 

11  about  health  care,  and  to  correct  inaccurate  or  in- 

12  complete  information. 

13  (b)  Purposes. — The  purposes  of  this  Act  are  as  fol- 

14  lows: 

15  (1)  To  protect  the  privacy  of  health  information 

16  that  reveals  the  identity  of  an  individual. 

17  (2)  To  define  the  rights  and  responsibilities  of 

18  a  person  who  creates  or  maintains  individually  iden- 

19  tillable  health  information  that  originates  or  is  used 

20  in  the  health  treatment  or  payment  process. 

21  (3)  To  define  the  rights  of  an  individual  with 

22  respect  to  health  information  about  the  individual 

23  that  is  created  or  maintained  as  part  of  the  health 

24  treatment  and  payment  process. 
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1  TITLE  I— PROTECTION  OF 

2  HEALTH  INFORMATION 

3  SEC.  101.  RESTRICTIONS  ON  USES. 

4  (a)  In  General. — Use  of  protected  health  informa- 

5  tion  by  health  information  custodians — 

6  (1)  shall  protect  the  reasonable  expectation  of 

7  privacy  of  protected  individuals;  and 

8  (2)  shall  be  in  accordance  with  fair  information 

9  practices. 

10  (b)  Minimum  Requirements. — 

11  (1)  Limitation  on  uses. — Unless  otherwise 

12  authorized  by  a  protected  individual  under  section 

13  103,  a  health  information  custodian  may  use  pro- 

14  tected  health  information  only  for  the  uses  for  which 

15  disclosure  is  authorized  under  title  III. 

16  (2)  Minimum  amount  of  information. — A 

17  health  information  custodian  shall  limit  use  of  pro- 

18  tected  health  information  to  the  minimum  amount 

19  and  duration  necessary  to  accomplish  the  use. 

20  SEC.  102.  restrictions  on  disclosure. 

21  (a)  In  General. — Disclosure  of  protected  health  in- 

22  formation  by  a  health  information  custodian  shall  protect 

23  the  reasonable  expectations  of  privacy  of  protected  individ- 

24  uals. 

25  (b)  Minimum  Requirements. — 
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1  (1)  Limitation  on  disclosures. — A  health 

2  information  custodian  may  not  disclose  protected 

3  health  information  unless — 

4  (A)  the  disclosure  is  authorized  by  the  pro- 

5  tected  individual  under  section  103;  or 

6  (B)  the  disclosure  is  authorized  under  title 

7  III. 

8  (2)  Minimum  amount  of  information. — A 

9  health  information  custodian  shall  limit  a  disclosure 

10  of  protected  health  information  to  the  minimum 

11  amount  of  information  necessary  to  accomplish  the 

12  purpose  for  which  the  information  is  disclosed. 

13  (c)  No  Requirement  To  Disclose. — Nothing  in 


14  this  Act  shall  be  construed  as  requiring  disclosure  of  pro- 

15  tected  health  information  that  is  not  otherwise  required 

16  to  be  disclosed  by  law. 

17  SEC.  103.  STANDARDS  FOR  AUTHORIZATIONS  FOR  USE  AND 

18  DISCLOSURE. 

19  (a)  In  General. — A  health  information  custodian 

20  may  use  or  disclose  protected  information  pursuant  to  an 

21  authorization  by  a  protected  individual  only  if  that  author- 

22  ization  is  based  on  informed  consent  by  the  protected  indi- 

23  vidual. 

24  (b)  Minimum  Requirements. — 
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1  (1)  Prohibition  on  conditioning. — A  health 

2  information  custodian  may  not,  as  a  condition  of 

3  providing-  or  paying  for  health  care,  require  a  pro- 

4  tected  individual  to  execute  an  authorization  for  use 

5  or  disclosure  of  protected  health  information. 

6  (2)  Informed  consent. — For  the  purposes  of 

7  subsection  (a),  an  authorization  shall  not  be  consid- 

8  ered  to  be  based  on  informed  consent  unless,  at  a 

9  minimum,  it  satisfies  the  conditions  in  part  II.D.l  of 

10  the  Secretary's  HIPAA  recommendations  (relating 

11  to  "Disclosure  with  Patient  Authorization:  Author- 

12  ization  Content"). 

13  SEC.  104.  SAFEGUARDS  AGAINST  MISUSE  AND  PROHIBITED 

14  DISCLOSURES. 

15  (a)  In  General. — Health  information  custodians 

16  shall  establish  and  implement  safeguards  against  misuse 

17  and  prohibited  disclosure  of  protected  health  information. 

18  (b)    Minimum    Requirements. — The  safeguards 

19  under  subsection  (a)  shall  include  reasonable  and  appro- 

20  priate  administrative,  technical,  and  physical  safeguards — 

21  (1)  to  ensure  that  protected  health  information 

22  is  used  or  disclosed  only  when  necessary; 

23  (2)  to  ensure  the  integrity  and  confidentiality  of 

24  protected  health  information; 
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1  (3)  to  protect  against  any  reasonably  antici- 

2  pated  threats  or  hazards  to  the  security  or  integrity 

3  of  the  information  or  unauthorized  use  or  disclosure 

4  of  the  information;  and 

5  (4)  otherwise  to  ensure  compliance  with  this 

6  Act. 

7  (c)  Mental  Health  and  Other  Especially  Sen- 

8  sitive  Information. — In  establishing  and  implementing 

9  the  safeguards  under  subsection  (a),  a  health  information 

10  custodian  shall  consider  providing  additional  protections 

11  for  mental  health  and  other  especially  sensitive  protected 

12  health  information,  as  appropriate. 

13  (d)  Relationship  to  Social  Security  Act  Ad- 

14  MINISTRATIVE     SIMPLIFICATION    REQUIREMENTS. — Any 

15  safeguard  established  under  this  section  shall  be  con- 

1 6  sistent  with  the  standards  adopted  by  the  Secretary  under 

17  paragraph  (1)  of  section  1173(d)  of  the  Social  Security 

18  Act  (42  U.S.C.  1320d-2(d))  and  the  requirement  in  para- 

19  graph  (2)  of  such  section. 

20  TITLE  II— RIGHTS  OF 

21  PROTECTED  INDIVIDUALS 

22  SEC.  201.  RIGHT  OF  ACCESS. 

23  (a)  In  General. — Protected  individuals  shall  have 

24  the  right  to  a  reasonable  opportunity  to  inspect  and  copy 
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1  protected  health  information  maintained  by  a  health  infor- 

2  mation  custodian. 

3  (b)  Minimum  Requirements. — Subject  to  section 

4  405(b),  a  health  information  custodian,  at  a  minimum, 

5  shall  provide  a  protected  individual  at  least  as  much  op- 

6  portunity  to  inspect  and  copy  protected  health  information 

7  as  was  recommended  by  the  Secretary  in  part  II. C. 2  of 

8  the  Secretary's  HIPAA  recommendations  (relating  to 

9  "Patient  Inspection  and  Copying  of  Records"). 

1 0  SEC.  202.  RIGHT  OF  CORRECTION  AND  AMENDMENT. 

11  (a)  In  General. — Protected  individuals  shall  have 

12  the  right  to  a  reasonable  opportunity  to  correct  or  amend 

1 3  protected  health  information  maintained  by  a  health  infor- 

14  mation  custodian. 

15  (b)  Minimum  Requirements. — A  health  informa- 

16  tion  custodian,  at  a  minimum,  shall  provide  a  protected 

17  individual  correction  and  amendment  protections  that  are 

18  at  least  equivalent  to  those  recommended  by  the  Secretary 

19  in  part  II. C. 3  of  the  Secretary's  HIPAA  recommendations 

20  (relating  to  "Patient  Correction  of  Records"). 

2 1  SEC.  203.  RIGHT  TO  RE VTEW  DISCLOSURE  HISTORY. 

22  (a)  In  General. — Protected  individuals  shall  have 

23  the  right  to  a  reasonable  opportunity  to  review  a  history 

24  of  the  disclosures  of  protected  health  information  about 

25  the  individual  made  by  a  health  information  custodian. 
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1  (b)  Minimum  Requirements. — A  health  informa- 

2  tion  custodian,  at  a  minimum,  shall  implement  procedures 

3  that  ensure  a  protected  individual  at  least  as  much  oppor- 

4  tunity  to  review  the  individual's  disclosure  histories  as  was 

5  recommended  by  the  Secretary  in  part  II. C. 4  of  the  Sec- 

6  retary's  HIPAA  recommendations  (relating  to  "Disclosure 

7  History"). 

8  SEC.  204.  RIGHT  TO  NOTICE  OF  INFORMATION  PRACTICES 


9  AND  OPPORTUNITY  TO  SEEK  ADDITIONAL 

10  PROTECTIONS. 

11  (a)  In  General. — Protected  individuals  shall  have — 

12  (1)  the  right  to  notice  of  the  information  prac- 

13  tices  of  health  information  custodians;  and 

14  (2)  a  reasonable  opportunity  to  seek  limitations 

15  on  the  use  and  disclosure  of  protected  health  infor- 

16  mation  in  addition  to  the  limitations  provided  in 

17  such  practices. 

18  (b)  Minimum  Requirements. — 

19  (1)  Notice  and  opportunity  to  seek  addi- 

20  tional  PROTECTIONS. — To  the  maximum  extent 

21  practicable,  before  obtaining  protected  health  infor- 

22  mation  from  a  protected  individual,  a  health  infor- 

23  mation  custodian — 

24  (A)  shall  provide  the  protected  individual 

25  with  a  clear  and  conspicuous  notice  of  the 
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1  custodian's  health  information  practices,  which 

2  notice  shall  include,  at  a  minimum,  the  expla- 

3  nation  recommended  in  part  II.C.l  of  the  Sec- 

4  retary's  HIPAA  recommendations  (relating  to 

5  "Explanation  of  Information  Practices"); 

6  (B)  shall  provide  the  protected  individual  a 

7  reasonable  opportunity  to  seek  limitations  on 

8  the  use  or  disclosure  of  protected  health  infor- 

9  mation  in  addition  to  the  limitations  provided  in 

10  such  practices;  and 

11  (C)  shall  obtain  a  signed  acknowledgment 

12  from  the  protected  individual  acknowledging 

13  that  the  notice  required  under  subparagraph 

14  (A)  has  been  provided  to  the  protected  indi- 

15  vidual  and  the  individual  has  been  informed  of 

16  the  opportunity  to  seek  additional  limitations 

17  required  to  be  provided  under  subparagraph 

18  (B). 

19  (2)  Other       health  information 

20  CUSTODIANS. — A  health  information  custodian  who 

21  receives  protected  health  information  about  a  pro- 

22  tected  individual  from  a  source  other  than  the  indi- 

23  vidual  shall  provide  a  notice  of  the  custodian's 

24  health  information  practices  that  is  consistent  with 

25  paragraph  (1)(A)  to  the  individual  upon  request. 
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1  (c)  Compliance. — If  a  protected  individual  seeks 

2  limitations  on  the  use  or  disclosure  of  protected  health  in- 

3  formation  in  addition  to  the  limitations  described  in  a 

4  health  information  custodian's  notice  of  health  informa- 

5  tion  practices,  and  the  custodian  agrees  to  provide  such 

6  additional  limitations,  the  custodian  shall  comply  with 

7  such  additional  limitations,  unless  such  compliance  would 

8  violate  another  provision  of  law. 

9  TITLE     III— PERMISSIBLE  DIS- 

10  CLOSURES    OF  PROTECTED 

1 1  HEALTH  INFORMATION 

1 2  SEC.  301.  PROVISION  OF  AND  PAYMENT  FOR  HEALTH  CARE. 

13  (a)  In  General. — A  health  information  custodian, 

14  to  the  extent  the  Secretary  determines  appropriate,  may 

15  disclose  protected  health  information,  without  obtaining 

16  an  authorization  under  section  103,  for  the  purpose  of 

17  providing  health  care  to  an  individual  or  paying  for  health 

18  care  provided  to  an  individual,  except  as  provided  in  sub- 

19  section  (c). 

20  (b)  Construction. — For  purposes  of  subsection  (a), 

21  a  disclosure  of  protected  health  information  by  a  health 

22  information  custodian  for  the  purpose  of  rendering  an  em- 

23  ployment  decision,  conducting  a  marketing  activity,  or 

24  conducting  an  insurance  underwriting  activity,  shall  not 

25  be  considered  a  disclosure  for  the  purpose  of  providing 
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1  health  care  to  an  individual  or  paying  for  health  care  pro- 

2  vided  to  an  individual. 

3  (c)  Special  Rule  for  Patients  Paying  for 

4  Care. — In  the  case  of  health  care  provided  to  an  indi- 

5  vidual  who  pays  for  the  care  himself  or  herself,  a  health 

6  information  custodian  may  not  disclose  to  a  health  care 

7  payer,  without  obtaining  an  authorization  under  section 

8  103,  protected  health  information  created  or  received  in 

9  the  course  of  providing  such  care. 

10  SEC.  302.  HEALTH  OVERSIGHT. 

11  (a)  In  General. — A  health  information  custodian, 

12  to  the  extent  the  Secretary  determines  appropriate,  may 

13  disclose  protected  health  information  for  the  purpose  of 

1 4  health  oversight,  without  obtaining  an  authorization  under 

15  section  103. 

16  (b)  Minimum  Requirements. — The  Secretary — 

17  (1)  shall  permit  a  health  information  custodian 

18  to  disclose  protected  health  information  to  Federal, 

19  State,  and  local  agencies  (or  affiliated  persons  of 

20  such  agencies)  that  are  authorized  by  law  to  inves- 

21  tigate,  regulate,  enforce  laws  relating  to,  or  license, 

22  certify,  or  accredit  persons  engaged  in,  the  provision 

23  of,  or  payment  for,  health  care;  and 

24  (2)  may  permit  a  health  information  custodian 

25  to  disclose  protected  health  information  to  appro- 

•HR  1941  IH 


14 

1  priate  private  organizations  engaged  in  licensing, 

2  certification,  or  accreditation  of  health  care  pro- 

3  viders. 

4  SEC.  303.  PUBLIC  HEALTH. 

5  A  health  information  custodian,  to  the  extent  the  Sec- 

6  retary  determines  appropriate,  may  disclose  protected 

7  health  information,  without  obtaining  an  authorization 

8  under  section  103— 

9  (1)  to  a  public  health  authority  for  use  in  le- 

10  gaily  authorized  disease  or  injury  reporting,  public 

11  health  surveillance,  or  a  public  health  investigation 

12  or  intervention;  or 

13  (2)  to  a  person  who  is  otherwise  authorized  by 

14  law  or  a  public  health  authority  to  receive  the  infor- 

15  mation  for  public  health  purposes. 

16  SEC.  304.  HEALTH  RESEARCH. 

17  (a)  In  General. — A  health  information  custodian, 

18  to  the  extent  the  Secretary  determines  appropriate,  may 

19  disclose  protected  health  information  for  health  research, 

20  without  obtaining  an  authorization  under  section  103. 

21  (b)  Minimum  Requirements. — A  health  informa- 

22  tion  custodian  may  disclose  protected  health  information 

23  without  such  an  authorization  only  for  uses  that  have  been 

24  approved  by  an  entity  certified  by  the  Secretary. 
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1  (c)  Regulations. — The  Secretary  shall  promulgate 

2  regulations  that,  at  a  minimum — 

3  (1)  require  that,  before  approving  a  use  of  pro- 

4  tected  health  information  for  purposes  of  subsection 

5  (b),  a  certified  entity  shall  determine  that — 

6  (A)  the  importance  of  the  health  research 

7  outweighs  the  intrusion  into  the  privacy  of  the 

8  protected  individuals  who  are  the  subjects  of 

9  the  protected  health  information;  and 

10  (B)  it  would  be  impracticable  to  conduct 

1 1  the  health  research  without  using  the  protected 

12  health  information; 

13  (2)  establish  requirements  for  certifying  entities 

14  that  ensure  that  such  entities — 

15  (A)  meet  the  requirements  for  institutional 

16  review  boards  established  under  section  491(a) 

17  of  the  Public  Health  Service  Act  with  respect  to 

18  information  protection,  use,  and  disclosure;  and 

19  (B)  are  qualified  to  assess  and  protect  the 

20  confidentiality  of  protected  health  information; 

21  and 

22  (3)  require  a  person  conducting  health  research 

23  to  remove  or  destroy  personal  identifiers  at  the  ear- 

24  liest  opportunity  consistent  with  the  purpose  of  the 

25  research,  unless  a  certified  entity  has  determined 
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1  that  there  is  a  health  or  research  justification  for  re- 

2  tention  of  identifiers  and  the  person  has  an  adequate 

3  plan  to  protect  the  identifiers  from  improper  use  and 

4  disclosure. 

5  SEC.  305.  LAW  ENFORCEMENT. 

6  (a)  In  General. — A  health  information  custodian 

7  may  disclose  protected  health  information  to  a  law  en- 

8  forcement  official  for  a  law  enforcement  inquiry  if  the  law 

9  enforcement  official  complies  with  the  fourth  amendment 

10  to  the  Constitution. 

1 1  (b)  Construction. — For  purposes  of  subsection  (a), 

12  all  protected  health  information  shall  be  treated  as  if  it 

13  were  held  in  a  home  over  which  the  protected  individual 

14  has  exclusive  authority. 

15  (c)  Relationship  to  Health  Oversight  Activi- 

16  TIES. — This  section  shall  not  apply  to  a  disclosure  of  pro- 

17  tected  health  information  for  purposes  of  health  oversight. 

1 8  SEC.  306.  JUDICIAL  OR  ADMINISTRATIVE  PROCEEDINGS. 

19  (a)  In  General. — A  health  information  custodian, 

20  to  the  extent  the  Secretary  determines  appropriate,  may 

21  disclose  protected  health  information,  without  obtaining 

22  an  authorization  under  section  103,  pursuant  to — 

23  (1)  a  judicial  or  administrative  subpoena  issued 

24  in  a  civil  administrative  or  judicial  adjudication;  or 
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1  (2)  a  subpoena  issued  by  a  defendant  in  a 

2  criminal  proceeding. 

3  (b)  Minimum  Requirements. — A  health  informa- 

4  tion  custodian  may  not  disclose  protected  health  informa- 

5  tion  about  a  protected  individual  under  this  section,  unless 

6  the  individual  has  had — 

7  (1)  reasonable  notice  of  the  subpoena;  and 

8  (2)  a  reasonable  opportunity  to  move  the  court, 

9  or  other  presiding  official,  to  quash  the  subpoena  on 

10  the  basis  that  the  individual's  privacy  interest  out- 

11  weighs  the  interest  of  the  person  seeking  the  infor- 

12  mation. 

1 3  SEC.  307.  OTHER  DISCLOSURES. 

14  A  health  information  custodian,  to  the  extent  the  Sec- 

15  retary  determines  appropriate,  may  disclose  protected 

16  health  information,  without  obtaining  an  authorization 

17  under  section  103 — 

18  (1)  where  necessary  to  prevent  or  lessen  a  seri- 

19  ous  threat  to  the  health  or  safety  of  an  individual; 

20  (2)  to  a  next  of  kin; 

21  (3)  to  individuals  with  close  personal  relation- 

22  ships  with  the  protected  individual; 

23  (4)  for  purposes  of  directory  information  within 

24  a  health  care  facility;  and 

25  (5)  for  State  data  systems. 
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1  SEC.  308.  REDISCLOSURES. 

2  (a)  In  General. — A  health  information  custodian 

3  who  receives  protected  health  information  through  a  dis- 

4  closure  under  this  title,  to  the  extent  the  Secretary  deter- 

5  mines  appropriate,  may  redisclose  such  information  to 

6  carry  out  the  purposes  for  which  the  information  was  dis- 

7  closed  to  the  custodian. 

8  (b)  Prohibition. — Notwithstanding  subsection  (a), 

9  protected  health  information  received  by  a  health  informa- 

10  tion  custodian  through  a  disclosure  under  this  title  may 

1 1  not  be  disclosed  to  any  person  for  use  in,  or  be  used  in, 

12  any  administrative,  civil,  or  criminal  action  or  investiga- 

13  tion  directed  against  the  protected  individual  who  is  the 

14  subject  of  the  information,  unless — 


15  (1)  the  action  or  investigation  arises  out  of  and 

16  is  directly  related  to  the  purpose  for  which  the  infor- 

17  mation  was  obtained  by  the  custodian;  or 

18  (2)  the  use  or  disclosure  is  authorized — 

19  (A)  by  law  for  the  protection  of  the  public 

20  health;  or 

21  (B)  by  an  appropriate  order  of  a  court  of 

22  competent  jurisdiction,  granted,  after  a  hearing 

23  with  notice  to  the  health  information  custodian 

24  and  to  all  other  affected  individuals,  on  the 

25  basis  that  there  is — 
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1  (i)  probable  cause  to  believe  that  all 

2  other  possible  sources  for  the  information 

3  have  been  exhausted;  and 

4  (ii)  a  specific  and  compelling  public 

5  interest     in     disclosure     or    use  that 

6  outweighs — 

7  (I)  the  privacy  interest  of  the 

8  protected  individual; 

9  (II)  the  effect  of  the  disclosure 

10  on  future  provision  of  health  care;  and 

11  (III)  the  effect  of  the  disclosure 

12  on  health  research  and  health  over- 

13  sight  functions. 

14  TITLE  IV— MISCELLANEOUS 

15  PROVISIONS 

16  SEC.  401.  SPECIFIC  CLASSES  OF  INDIVIDUALS. 

17  (a)  Minors. — Individuals  under  the  age  of  18  shall 


18  have  privacy  protections  regarding  protected  health  infor- 

19  mation  that  are  at  least  equivalent  to  those  recommended 

20  in  part  II. F. 4  of  the  Secretary's  HIPAA  recommendations 

21  (relating  to  "Minors"). 


22  (b)  Agents  and  Attorneys. — 

23  (1)  In  general. — To  the  extent  the  Secretary 

24  determines  appropriate,  a  person  may  exercise  the 

25  rights  of  a  protected  individual  under  this  Act,  if — 
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1  (A)  the  person  is  authorized  by  law  (other 

2  than  on  account  of  minority),  or  by  an  instru- 

3  ment  recognized  under  law,  to  act  for  the  pro- 

4  tected  individual;  or 

5  (B)  the  protected  individual  is  not  capable 

6  of  exercising  his  or  her  rights  under  this  Act 

7  and  there  has  been  no  formal  legal  arrangement 

8  for  others  to  exercise  the  rights. 

9  (2)  Relationship  to  recommendations. — 

10  The  authority  of  such  a  person  to  exercise  the  rights 

11  of  a  protected  individual  shall  be  equivalent  to  the 

12  authority  described  in  parts  II. F. 5  and  II. F. 6  of  the 

13  Secretary's  HIPAA  recommendations  (relating  to 

14  "Powers  of  Attorney"  and  "Patients  Unable  to 

15  Make  Choices  for  Themselves"). 

16  (c)  Deceased  Persons. — Deceased  individuals  shall 

17  have  privacy  protections  regarding  protected  health  infor- 

18  mation  that  are  at  least  equivalent  to  those  recommended 

19  by  the  Secretary  in  part  II.F.l  of  the  Secretary's  HIPAA 

20  recommendations  (relating  to  "Deceased  Persons"). 

2 1  SEC.  402.  FALSE  PRETENSES. 

22  A  person  may  not — 

23  (1)  obtain  or  disclose  protected  health  informa- 

24  tion  from  a  health  information  custodian  or  affili- 

25  ated  person  under  false  pretenses;  or 
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1  (2)  knowingly  disseminate  protected  health  in- 

2  formation  obtained  in  violation  of  this  Act. 

3  SEC.  403.  OBLIGATIONS  OF  AFFILIATED  PERSONS. 

4  An  affiliated  person  shall  be  subject  to  the  same  re- 


5  quirements  with  respect  to  use  and  disclosure  of  protected 

6  health  information  as  apply  to  the  health  information  cus- 

7  todian  with  whom  the  affiliated  person  is  affiliated,  except 

8  that  an  affiliated  person — 


9  (1)  is  subject  to  the  requirements  of  sections 

10  201  and  202  only  if  the  affiliated  person  maintains 

1 1  the  individual's  protected  health  information  and  the 

12  health  information  custodian  does  not  maintain  the 

13  individual's  protected  health  information;  and 

14  (2)  is  subject  to  the  requirements  of  section 

15  203  only  to  the  extent  that  the  affiliated  person 

16  makes  a  disclosure. 

17  SEC.  404.  PROHIBITION  OF  RETALIATION  WITH  RESPECT 

18  TO  EMPLOYMENT. 

19  A  person  may  not  subject  an  individual  to  retaliation, 


20  in  regard  to  job  application  procedures,  the  hiring,  ad- 

21  vancement,  or  discharge  of  employees,  employee  com- 

22  pensation,  job  training,  or  other  terms,  conditions,  and 

23  privileges  of  employment,  for  reporting  to  a  governmental 

24  agency  conditions  that  may  constitute  a  violation  of  a  re- 

25  quirement  under  this  Act. 
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1  SEC.  405.  MENTAL  HEALTH  AND  OTHER  ESPECIALLY  SEN- 

2  SITIVE  INFORMATION. 

3  (a)  Additional  Limitations. — Not  later  than  1 

4  year  after  the  date  of  the  enactment  of  this  Act,  the 

5  Secretary — 

6  (1)  shall  consider,  after  consulting  with  physi- 

7  cians  and  other  health  care  providers,  patients,  and 

8  other  appropriate  groups,  additional  limitations  re- 

9  lating  to  access  to,  and  use  and  disclosure  of,  mental 

10  health  and  other  especially  sensitive  protected  health 

11  information;  and 

12  (2)  shall  promulgate  regulations  to  provide  any 

13  such  additional  limitations  as  the  Secretary  deter- 

14  mines  to  be  appropriate. 

15  (b)  Right  of  Access. — For  purposes  of  subsection 

16  (a)(2),  the  Secretary  may  limit  an  individual's  access  to 

17  his  or  her  mental  health  information,  if  the  information 

18  is  not  used  by,  or  disclosed  to,  any  person  other  than  the 

19  health  care  provider  who  received  or  created  the  informa- 

20  tion. 

21  (c)  Psychotherapist-Patient  Privilege. — Noth- 

22  ing  in  this  Act  shall  be  construed  to  preempt,  supersede, 

23  or  modify  the  operation  of  the  psychotherapist-patient 

24  privilege  recognized  by  the  Supreme  Court  in  Jaffee  v. 

25  Redmond,  518  U.S.  1  (1996). 
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1  SEC.  406.  CESSATION  OF  OPERATIONS. 

2  Not  later  than  1  year  after  the  date  of  the  enactment 

3  of  this  Act,  the  Secretary  shall  promulgate  regulations 

4  that  ensure  that  the  reasonable  expectation  of  privacy  of 

5  protected  individuals  in  protected  health  information  is 

6  maintained  when  health  information  custodians  cease  op- 

7  erations. 

8  SEC.  407.  CONFORMING  AMENDMENTS  TO  FEDERAL  PRI- 

9  VACY  ACT. 

10  (a)  New  Subsection. — Section  552a  of  title  5, 

1 1  United  States  Code,  is  amended  by  adding  at  the  end  the 

1 2  following: 

13  "(w)  Medical  Exemptions. — The  head  of  an  agen- 

14  cy  that  is  a  health  information  custodian  (as  defined  in 

15  section  504  of  the  Health  Information  Privacy  Act)  shall 

16  promulgate  rules,  in  accordance  with  the  requirements  (in- 

17  eluding  general  notice)  of  subsections  (b)(1),  (b)(2), 

18  (b)(3),  (c),  and  (e)  of  section  553  of  this  title,  to  exempt 

19  a  system  of  records  within  the  agency,  to  the  extent  that 

20  the  system  of  records  contains  protected  health  informa- 

21  tion  (as  defined  in  section  504  of  such  Act),  from  all  provi- 

22  sions  of  this  section  except  subsections  (e)(1),  (e)(2),  sub- 

23  paragraphs  (A)  through  (C)  and  (E)  through  (I)  of  sub- 

24  section  (e)(4),  and  subsections  (e)(5),   (e)(6),  (e)(9), 

25  (e)(12),  (1),  (n),  (o),  (p),  (q),  (r),  and  (u).". 

26  (b)  Repeal. — 
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1  (1)  In  general.— Section  552a(f)(3)  of  title  5, 

2  United  States  Code,  as  amended  by  this  Act,  is 

3  amended  by  striking  "pertaining  to  him,"  and  all 

4  that  follows  through  the  semicolon  and  inserting 

5  "pertaining  to  the  individual;". 

6  (2)  Effective  date. — The  amendment  made 

7  by  paragraph  (1)  shall  take  effect  18  months  after 

8  the  date  of  the  enactment  of  this  Act. 

9  TITLE  V— GENERAL  PROVISIONS 

10  SEC.  501.  AUTHORITY  OF  THE  SECRETARY. 

11  (a)  Regulations. — 

12  (1)  In  general. — Not  later  than  1  year  after 

13  the  date  of  the  enactment  of  this  Act,  the  Secretary 

14  shall  promulgate  such  regulations  as  may  be  nec- 

15  essary  to  implement  this  Act,  including  regulations 

16  establishing   recordkeeping   or   reporting  require- 

17  ments.  Such  regulations  may  provide  greater  protec- 

18  tion  of  protected  health  information,  or  more  rights 

19  to  protected  individuals  regarding  such  information, 

20  than  is  provided  by  the  minimum  requirements  set 

21  forth  in  this  Act. 

22  (2)  Protections  for  other  health  infor- 

23  MATION. — The  Secretary  may  promulgate  such  regu- 

24  lations  as  may  be  necessary  to  protect  the  privacy  of 
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1  individually  identifiable  health  information  that  is 

2  not  protected  health  information. 

3  (3)  Consultation. — In  promulgating  regula- 

4  tions  under  this  Act,  the  Secretary  shall  consult  with 

5  elected  State  and  local  government  officials. 

6  (b)  Research  and  Development. — The  Secretary 

7  may  sponsor  or  carry  out  research  and  development  activi- 

8  ties  related  to  the  protection  of  the  privacy  of  individually 

9  identifiable  health  information. 

10  (c)  Public  Awareness  and  Training. — The  Sec- 

11  retary  may  sponsor  or  carry  out  activities  to  inform  pro- 

12  tected  individuals  of  their  rights  under  this  Act  or  to  in- 

13  form  other  persons  of  their  rights  or  responsibilities  under 

14  this  Act.  The  Secretary  may  also  sponsor  or  carry  out 

15  training  to  increase  compliance  with  requirements  under 

16  this  Act. 

17  (d)  Other  Authorities. — The  Secretary  may  hold 

18  hearings,  administer  oaths,  require  the  testimony  or  depo- 

19  sition  of  witnesses,  require  the  production  of  documents 

20  or  the  answering  of  interrogatories,  or  enter  and  inspect 

21  premises  owned  or  controlled  by  health  information 

22  custodians  in  order  to  ensure  compliance  with  this  Act  or 

23  otherwise  further  the  purposes  of  this  Act. 
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1  SEC.  502.  ENFORCEMENT. 

2  (a)  Equitable  Relief. — The  Secretary  may  bring 

3  an  action  in  an  appropriate  court  to  enjoin  a  violation  of 

4  a  requirement  under  this  Act  or  to  obtain  such  other  equi- 

5  table  relief  as   may  be   appropriate  under  the  cir- 

6  cumstances. 

7  (b)  Civil  Money  Penalties. — Any  person  who  the 

8  Secretary  determines  has  failed  to  comply  with  a  require- 

9  ment  under  this  Act  shall  be  subject,  in  addition  to  any 

10  other  penalties  that  may  be  prescribed  by  law,  to  a  civil 

11  penalty  of  not  more  than  $10,000  for  each  such  failure. 

12  The  provisions  of  section  1128A  of  the  Social  Security  Act 

13  (other  than  subsections  (a)  and  (b))  shall  apply  to  the  im- 

14  position  of  a  civil  money  penalty  under  this  subsection  in 

15  the  same  manner  as  such  provisions  apply  with  respect 

16  to  the  imposition  of  a  penalty  under  section  1128A  of  such 

17  Act. 

18  (c)  Criminal  Penalties. — 

19  (1)  In  GENERAL. — Whoever  knowingly  violates 

20  a  requirement  under  this  Act  shall  be  fined  under 

21  title  18,  United  States  Code,  imprisoned  for  not 

22  more  than  5  years,  or  both. 

23  (2)  Monetary  gain. — Whoever  knowingly  vio- 

24  lates  a  requirement  under  this  Act,  with  the  intent 

25  to  sell,  transfer,  or  use  protected  health  information 

26  obtained  through  the  violation  for  profit  or  monetary 
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1  gain,  shall  be  fined  under  title  18,  United  States 

2  Code,  imprisoned  for  not  more  than  10  years,  or 

3  both. 

4  (d)  Civil  Actions. — 

5  (1)  In  general. — 

6  (A)  Injunction  or  damages. — A  pro- 

7  tected  individual  who  is  adversely  affected  by  a 

8  person's  violation  of  a  requirement  under  this 

9  Act  may  bring  an  action — 

10  (i)  to  enjoin  the  violation;  or 

11  (ii)  in  the  case  of  a  knowing  or  neg- 

12  ligent  violation,  to  recover  from  the  person 

13  the  greater  of — 

14  (I)   the   compensatory  damages 

15  (including  nonpecuniary  damages)  in- 

16  curred  by  the  protected  individual  as 

17  a  result  of  the  violation;  or 

18  (II)     liquidated     damages  of 

19  $5,000  per  action. 

20  (B)  Costs  and  attorney's  fees. — A 

21  protected  individual  bringing  an  action  under 

22  subparagraph  (A)  may  recover  the  costs  of  liti- 

23  gation  and  reasonable  attorney's  fees  (including 

24  expert  fees).  The  United  States  shall  be  liable 
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1  for  fees  and  costs  under  this  subparagraph  the 

2  same  as  a  private  person. 

3  (C)  Punitive  damages. — In  the  case  of  a 

4  knowing  violation,  the  person  committing  the 

5  violation  may  also  be  held  liable  for  punitive 

6  damages. 

7  (2)  Time  for  commencing  action. — An  ac- 

8  tion  under  this  subsection  shall  be  commenced  not 

9  later  than  3  years  after  the  date  on  which  the  viola- 

10  tion  was  discovered  or  reasonably  should  have  been 

1 1  discovered. 

1 2  SEC.  503.  RELATIONSHIP  TO  OTHER  LAWS. 

13  (a)  In  General. — 

14  (1)  Federal,  state,  or  local  laws. — The 

15  requirements  under  this  Act  shall  not  preempt,  su- 

16  persede,  or  modify  the  operation  of,  any  Federal, 

17  State,  or  local  law  that  provides — 

18  (A)  greater  protection  of  protected  health 

19  information;  or 

20  (B)  more  rights  to  protected  individuals  re- 

21  garding  such  information. 

22  (2)  Petitions.— 

23  (A)    Advisory    determinations. — Any 

24  person  may  petition  the  Secretary  for  an  advi- 

25  sory  determination  whether  the  operation  of  a 
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1  particular  Federal,  State,  or  local  law  satisfies 

2  the  standard  in  paragraph  (1).  Any  person  who 

3  acts  in  reliance  on  such  advisory  determination 

4  shall  not  be  subject  to  any  penalty  or  liability 

5  under  section  502,  except  as  provided  in  sub- 

6  paragraph  (B). 

7  (B)  Contrary  court  determination. — 

8  If  a  Federal  or  State  court  has  reached  a  deter- 

9  mination  whether  the  operation  of  a  particular 

10  Federal,  State,  or  local  law  satisfies  the  stand- 

11  ard  in  paragraph  (1),  a  person  thereafter  may 

12  not  rely  on  an  advisory  determination  under 

13  subparagraph  (A)  to  the  contrary. 

14  (b)  Specific  Laws. — This  Act  shall  not  be  construed 

15  to  preempt,  supersede,  or  modify  the  operation  of,  any  of 

16  the  following: 

17  (1)  Any  law  that  provides  for  the  reporting  of 

18  vital  statistics  such  as  birth  or  death  information. 

19  (2)  Any  law  that  requires  the  reporting  of 

20  abuse  or  neglect  information  about  an  individual  or 

21  other  information  relating  to  violence  against  an  in- 

22  dividual. 

23  (3)  Subpart  II  of  part  E  of  title  XXVI  of  the 

24  Public  Health  Service  Act  (relating  to  notifications 
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1  of  emergency  response  employees  of  possible  expo- 

2  sure  to  infectious  diseases). 

3  (4)  The  Americans  with  Disabilities  Act  of 

4  1990. 

5  (5)  Any  law  that  establishes  a  privilege  for 

6  records  used  in  health  professional  peer  review  ac- 

7  tivities. 

8  (6)  Any  law  that  requires  the  disclosure  of  pro- 

9  tected  health  information,  if  the  disclosure  is  per- 

10  mitted  under  this  Act. 

1 1  (c)  Department  of  Veterans  Affairs. — The  lim- 

12  itations  on  use  and  disclosure  of  protected  health  informa- 

13  tion  under  this  Act  shall  not  be  construed  to  prevent  any 

14  exchange  of  such  information  within  and  among  compo- 

15  nents  of  the  Department  of  Veterans  Affairs  that  deter- 

16  mine  eligibility  for  or  entitlement  to,  or  that  provide,  bene- 

17  fits  under  laws  administered  by  the  Secretary  of  Veterans 

18  Affairs. 

19  (d)  CONGRESS. — Nothing  in  this  Act  shall  be  inter- 

20  preted  to  affect  the  ability  of  the  Congress,  a  committee 

21  of  the  Congress,  or  the  Members  of  the  Congress  referred 

22  to  in  section  2954  of  title  5,  United  States  Code,  to  obtain 

23  such  information  as  may  be  necessary  for  the  fulfillment 

24  of  the  Congress',  the  committee's,  or  the  Members'  legisla- 

25  tive  or  oversight  functions. 
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1  (e)  Privileges. — A  disclosure  about  a  protected  in- 

2  dividual  made  under  title  III,  or  a  protected  individual's 

3  disclosure  of  protected  health  information  for  the  purpose 

4  of  obtaining,  or  paying  for,  health  care,  may  not  be  con- 

5  strued  as  diminishing,  waiving,  or  otherwise  impairing  any 

6  privilege  that  the  protected  individual  has  in  a  court  of 

7  a  State  or  the  United  States. 

8  SEC.  504.  DEFINITIONS. 


9  For  purposes  of  this  Act: 

10  (1)  Affiliated  person. — The  term  "affiliated 

1 1  person"  means  a  person  who — 

12  (A)  is  not  a  health  information  custodian; 

13  (B)  is  an  agent  or  contractor  of  a  health 

14  information  custodian;  and 

15  (C)  pursuant  to  an  agreement  with  such 

16  custodian,  receives,  creates,  uses,  maintains,  or 

17  discloses  protected  health  information. 

18  (2)   Disclose. — The  term   "disclose",  when 

19  used  with  respect  to  protected  health  information, 

20  means  to  provide  access  to  the  information  to  a  per- 

21  son  other  than — 

22  (A)  the  custodian  or  an  officer  or  employee 

23  of  the  custodian; 

24  (B)  an  affiliated  person  of  the  custodian; 

25  or 
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1  (C)  a  protected  individual  who  is  a  subject 

2  of  the  information. 

3  (3)     Disclosure. — The    term  "disclosure" 

4  means  the  act  or  an  instance  of  disclosing. 

5  (4)  Health  care. — The  term  "health  care" 

6  means — 

7  (A)  any  preventive,  diagnostic,  therapeutic, 

8  rehabilitative,  maintenance,  or  palliative  care, 

9  counseling,  service,  or  procedure — 

10  (i)  with  respect  to  the  physical  or 

11  mental  condition,  or  functional  status,  of 

12  an  individual;  or 

13  (ii)  affecting  the  structure  or  function 

14  of  the  human  body  or  any  part  of  the 

15  human  body,  including  banking  of  blood, 

16  sperm,  organs,  or  any  other  tissue  for  ad- 

17  ministration  to  patients;  or 

18  (B)  any  sale  or  dispensing  of  a  drug,  de- 

19  vice,  equipment,  or  other  item  to  an  individual, 

20  or  for  the  use  of  an  individual,  pursuant  to  a 

21  prescription. 

22  (5)  Health  care  payer. — The  term  "health 

23  care  payer"  means  a  person  who  pays  for  health 

24  care  in  the  ordinary  course  of  business. 
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1  (6)    Health    care    provider, — The  term 

2  "health  care  provider"  means  a  person  who  provides 

3  health  care  in  the  ordinary  course  of  business  or 

4  practice  of  a  profession,  pursuant  to  license,  certifi- 

5  cation,  accreditation,  or  other  legal  authorization. 

6  (7)  Health  information  custodian. — 

7  (A)  In  GENERAL. — The  term  "health  infor- 

8  mation  custodian"  means  a  health  care  pro- 

9  vider,  a  health  care  payer,  or  any  other  person 

10  who  obtains  protected  health  information  as  a 

1 1  result  of  a  disclosure  authorized  under  this  Act. 

12  (B)  Exceptions. — Such  term  does  not 

1 3  include — 

14  (i)  an  affiliated  person; 

15  (ii)  an  individual  who  obtains  pro- 

16  tected  health  information  under  paragraph 

17  (2),  (3),  or  (4)  of  section  307;  or 

18  (hi)  an  individual  who  receives  pro- 

19  tected  health  information  in  a  public  health 

20  intervention  because  the  individual's  health 

21  is  at  risk. 

22  (8)  Health  research. — The  term  "health  re- 

23  search"   means  a  biomedical,   epidemiological,  or 

24  health  services  research  or  statistics  project,  or  a  re- 

25  search  project  on  behavioral  and  social  factors  af- 
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1  fecting  health,  that  is  designed  to  develop  or  con- 

2  tribute  to  generalizable  scientific  or  clinical  knowl- 

3  edge. 

4  (9)  Law  enforcement  inquiry. — The  term 

5  "law  enforcement  inquiry"  means  a  lawful  investiga- 

6  tion  or  official  proceeding  inquiring  into  a  violation 

7  of,  or  failure  to  comply  with,  any  criminal  or  civil 

8  statute  or  any  regulation,  rule,  or  order  issued  pur- 

9  suant  to  such  a  statute. 

10  (10)  Person. — The  term  "person"  includes  an 

1 1  authority  of  the  United  States,  a  State,  or  a  political 

12  subdivision  of  a  State. 

13  (11)  Protected  health  information. — The 

14  term  "protected  health  information"  means  any  in- 

15  formation,  whether  oral  or  recorded  in  any  form  or 

16  medium,  that — 

17  (A)  relates  in  any  way  to  the  past,  present, 

18  or  future  physical  or  mental  health  or  condition 

19  of  a  protected  individual,  the  provision  of  health 

20  care  to  an  individual,  or  payment  for  the  provi- 

21  sion  of  health  care  to  an  individual; 

22  (B)  is  received  or  created  by  a  health  care 

23  provider  in  the  ordinary  course  of  business  or 

24  practice  of  a  profession  or  by  a  health  care 
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1  payer,  or  is  obtained  as  a  result  of  a  disclosure 

2  authorized  under  this  Act;  and 

3  (C)  identifies  the  individual,  or  with  re- 

4  spect  to  which  there  is  a  reasonable  basis  to  be- 

5  lieve  that  the  information  can  be  used  to  iden- 

6  tify  the  individual. 

7  (12)  Protected  individual. — The  term  "pro- 

8  tected  individual"  means  an  individual  who  is  the 

9  subject  of  protected  health  information. 

10  (13)    Secretary. — The    term  "Secretary" 

1 1  means  the  Secretary  of  Health  and  Human  Services. 

12  (14)     Secretary's    hipaa  recommenda- 

13  TIONS. — The     term     "Secretary's     HIPAA  rec- 

14  ommendations"  means  the  recommendations  of  the 

15  Secretary  of  Health  and  Human  Services,  pursuant 

16  to  section  264  of  the  Health  Insurance  Portability 

17  and  Accountability  Act  of  1996,  entitled  "Confiden- 

18  tiality  of  Individually-Identifiable  Health  Informa- 

19  tion"  that  were  submitted  to  the  Committee  on 

20  Commerce  and  the  Committee  on  Ways  and  Means 

21  of  the  House  of  Representatives  and  the  Committee 

22  on  Labor  and  Human  Resources  and  the  Committee 

23  on  Finance  of  the  Senate,  on  September  11,  1997. 

24  (15)  State. — The  term  "State"  includes  the 

25  District  of  Columbia,  Puerto  Rico,  the  Virgin  Is- 
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1  lands,  Guam,  American  Samoa,  and  the  Northern 

2  Mariana  Islands. 

3  (16)  USE. — The  term  "use",  when  used  with 

4  respect  to  protected  health  information  that  is  held 

5  by  a  health  information  custodian,  means — 

6  (A)  to  use,  or  provide  access  to,  the  infor- 

7  mation  in  any  manner  that  does  not  constitute 

8  a  disclosure;  or 

9  (B)  any  act  or  instance  of  using,  or  pro- 

10  viding  access,  described  in  subparagraph  (A). 

1 1  SEC.  505.  EFFECTIVE  DATE. 

12  The  requirements  under  this  Act  applicable  to  health 

13  information  custodians  and  affiliated  persons  shall  take  ef- 

14  feet  18  months  after  the  date  of  the  enactment  of  this 

15  Act. 
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